GlasgowSmile

Target IP: 192.168.152.79

Come for the smiles, stay for the jokes.


Scanning

There are two TCP ports open on the target machine: SSH and HTTP.


Enumeration

Port 80: HTTP
Running a curl request against this application does not reveal anything useful. The source code above contains only an image. Maybe this image contains hidden data?

The webpage above is displayed for this application.

Performing a directory search against this application reveals a Joomla site.

Running droopescan against the web application gives the interesting result shown above.

It looks like the host is running Joomla version 3.7.3-rc1.

The Joomla webpage above is displayed for this application. There are possibly interesting usernames on this page. I performed a directory search against this application, but I did not find anything useful. I also tried to log in using default credentials, but that did not work either. Time to perform bruteforcing.

I created a list of possible passwords from the main webpage.

The usernames I will use are shown above.

After using Burp Suite to perform bruteforcing, I got access with the credentials joomla:Gotham. Now I am able to access the administrator panel with these login details.


Exploitation

Since I have control over the templates, I will modify the error.php file of the protostar template with the Pentest Monkey PHP reverse shell.

I started a listener on port 8443, and visited http://192.168.152.79/joomla/templates/protostar/error.php to start the reverse shell connection. Now I have a foothold on the target machine.


Privilege Escalation

I obtained the credentials for the MySQL service.

Using the credentials, I was able to log in to MySQL. There are two interesting databases here: batjoke and joomla_db.

The table taskforce inside batjoke contains the records above. The user rob is interesting because this user exists on the target machine. All the password hashes look to be base64-encoded.

After decoding the base64 string, I obtained the password above for the user rob.

And now I have access as the user rob using the password from above.

There are interesting files here. The file Abnerineedyourhelp contains an encoded message that looks to be encrypted with a Caesar cipher. There is also a base64 string at the end.

Decrypting the encoded string outputs the message above. The message is addressed to Abner, and the string is the password for this user.

Trying to decode the string directly, I had no luck. After transforming the string with rot13, I was finally able to decode it and obtain the password I33hope99my0death000makes44more8cents00than0my0life0 shown above.
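As an added example that is not part of the original writeup, here are the two decoding steps above in Python: a Caesar brute-forcer that picks the shift whose output contains the most common English words, and a decoder that strips the rot13 layer before base64-decoding. The note text and the shift of 7 are constructed samples; the only value taken from the writeup is the recovered password.

```python
import base64
import codecs
import string

# Words whose presence marks the most English-looking candidate plaintext.
COMMON_WORDS = {"the", "is", "your", "for", "and", "to", "of", "a", "in", "password"}

def caesar_shift(text: str, shift: int) -> str:
    """Shift ASCII letters by `shift` positions; digits and punctuation are untouched."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

def english_score(text: str) -> int:
    """Count tokens that are common English words (surrounding punctuation stripped)."""
    words = (w.strip(string.punctuation) for w in text.lower().split())
    return sum(1 for w in words if w in COMMON_WORDS)

def break_caesar(ciphertext: str):
    """Try all 26 shifts and return (shift, plaintext) for the best-scoring one."""
    shift = max(range(26), key=lambda s: english_score(caesar_shift(ciphertext, -s)))
    return shift, caesar_shift(ciphertext, -shift)

def decode_rot13_base64(token: str) -> str:
    """Undo the rot13 layer first; only then is the token valid base64."""
    return base64.b64decode(codecs.decode(token, "rot13")).decode()

# Constructed sample (not the real file contents): a note to Abner under a Caesar
# shift of 7, followed by the password base64-encoded and then rot13'd.
SAMPLE_NOTE = "Abner, the password for your account is the encoded string below."
SAMPLE_SHIFT = 7
SAMPLE_PASSWORD = "I33hope99my0death000makes44more8cents00than0my0life0"
CIPHERTEXT = caesar_shift(SAMPLE_NOTE, SAMPLE_SHIFT)
TOKEN = codecs.encode(base64.b64encode(SAMPLE_PASSWORD.encode()).decode(), "rot13")

if __name__ == "__main__":
    shift, note = break_caesar(CIPHERTEXT)
    print(f"shift {shift}: {note}")
    print("password:", decode_rot13_base64(TOKEN))
```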

Now I have access as the user abner using the password.

I tried manual enumeration but did not find anything. However, using the command find / -writable -type f 2>/dev/null, I found the interesting zip file above.

I started a Python http.server on the target machine. Then I downloaded this zip file to my local machine.

The zip file is password-protected. I tried using john to crack the password, but I had no luck. When I tried the credentials of abner that I obtained from the previous enumeration, it worked!

I obtained the file above after extracting the zip file. The second line contains a string. I tried decoding it, but I had no luck. I also tried decoding it with the same rot13 step, but got nothing.

However, I noticed I could use the string as a password without decoding it. I was able to log in as the user penguin with the same string.

I had run pspy64 when I first landed a foothold on the machine as www-data. Now I can modify the files above.

There is an interesting file called .trash_old, which gets executed. I can put my reverse shell script in it to gain a root shell.

After putting the reverse shell script inside .trash_old, I started a listener on port 8444 and made the script executable. After some time, I gained a root shell.
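As an added example from the defender's side, not part of the original writeup: a small Python audit that parses /etc/crontab-style entries and flags jobs whose script is group- or world-writable, or owned by a uid other than the job's user, which is the condition that made .trash_old exploitable here. The crontab lines, script names and modes are constructed in a temporary directory (the real job's path is not given on the page), and the uid mapping in demo() is a constructed stand-in for pwd.getpwnam.

```python
import os
import re
import stat
import tempfile

# One /etc/crontab entry: five time fields (or an @keyword), the user, then the command.
CRON_LINE = re.compile(r"^(?:@\w+|(?:\S+\s+){4}\S+)\s+(\S+)\s+(.+)$")

def parse_system_crontab(text):
    """Yield (user, command) for each non-comment entry in system-crontab format."""
    for line in text.splitlines():
        m = CRON_LINE.match(line.strip())
        if m and not line.lstrip().startswith("#"):
            yield m.group(1), m.group(2)

def script_path(command):
    """The command's first token if it is an absolute path, else None (shell chains skipped)."""
    first = command.split()[0]
    return first if first.startswith("/") else None

def audit_crontab(text, uid_of):
    """Flag jobs whose script someone other than the job's user could edit: group/world
    write bits, or a file owned by a different uid (the .trash_old condition).
    uid_of maps a crontab user name to a uid, e.g. lambda u: pwd.getpwnam(u).pw_uid."""
    findings = []
    for user, command in parse_system_crontab(text):
        path = script_path(command)
        if path is None or not os.path.exists(path):
            continue
        st = os.stat(path)
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((user, path, "group/world writable"))
        elif st.st_uid != uid_of(user):
            findings.append((user, path, "owned by another uid"))
    return findings

def demo():
    """Constructed scenario in a temp dir: two root jobs, one script world-writable."""
    tmp = tempfile.mkdtemp()
    for name, mode in (("trash_old", 0o777), ("safe.sh", 0o700)):
        with open(os.path.join(tmp, name), "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(os.path.join(tmp, name), mode)
    crontab = (f"# m h dom mon dow user command\n*/2 * * * * root {tmp}/trash_old\n"
               f"@reboot root {tmp}/safe.sh --quiet\n")
    # Constructed mapping: treat 'root' as our own uid so the owner check is neutral here.
    return audit_crontab(crontab, uid_of=lambda user: os.getuid())
```

Running demo() reports only trash_old; on a real host you would feed it the contents of /etc/crontab and /etc/cron.d/* with a pwd-based uid_of.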


Flags

The local.txt flag, obtained once I gained a foothold on the target machine.

The proof.txt flag, obtained once I gained a root shell.